[Japanese-language text of the claims and of description paragraphs [0001] to [0034]; the English text follows.]
1. Title of Invention

SECURITY SYSTEM FOR COMPUTER SYSTEMS 

2. Claims 

1. A security control method for a computer system, said method comprising steps of:

(a) storing in a database of said computer system and in the computer system itself security policies;

(b) continually accessing said database and the computer system during use thereof in order to determine the specific policy stored therein with respect to a particular subject presently using the computer system; and

(c) allowing the subject access to said computer system only to the extent allowed by the results of step (b);

wherein said database and computer system contain Mandatory Access Control labels for each subject and each object, said labels being arranged in a hierarchical lattice, with the higher level labels being assigned to an administrative region, the intermediate level labels being assigned to a user region and the lower level labels being assigned to a virus prevention region; and

further wherein, according to the security policy stored in said database and in the computer system, a subject operating in one Mandatory Access Control region is not allowed to access an object in another region unless a special capability or a special set of Mandatory Access Control attributes is assigned to the subject.

2. The method of claim 1 further wherein, according to the security policy stored in said database and embodied in said computer system, subjects are only allowed to run programs which have Mandatory Access Control labels in said virus prevention region.

3. A security control method for a computer system, said method comprising steps of:

(a) storing in a database of said computer system and in the computer system itself security policies;

(b) continually accessing said database and the computer system during use thereof in order to determine the specific policy stored therein with respect to a particular subject presently using the computer system; and

(c) allowing the subject access to said computer system only to the extent allowed by the results of step (b);

wherein said database and computer system contain Mandatory Access Control labels for each subject and each object, said labels being arranged in a hierarchical lattice; and

further wherein, according to the security policy stored in said database and the computer system, a range of Mandatory Access Control labels is assigned to a subject and that subject has access to objects having Mandatory Access Control labels within the range.

4. The method of claim 3 wherein, according to the security policy stored in said database and computer system, a subject assigned a range of Mandatory Access Control labels is further assigned a set of capabilities which allow it additional accesses to objects having Mandatory Access Control labels within the range.

5. A security control method for a computer system, said method comprising steps of:

(a) storing in a database of said computer system and in the computer system itself security policies;

(b) continually accessing said database and the computer system during use thereof in order to determine the specific policy stored therein with respect to a particular subject presently using the computer system; and

(c) allowing the subject access to said computer system only to the extent allowed by the results of step (b);

wherein said database and the computer system contain Mandatory Access Control labels for each subject and object, said labels being arranged in a hierarchical lattice; and

further wherein, according to the security policy stored in said database and in the computer system, a range of Mandatory Access Control labels is assigned to an object and that object is accessible to any subject having a Mandatory Access Control label within the range.

6. A security control method for a computer system, said method comprising steps of:

(a) storing in a database of said computer system and in the computer system itself security policies;

(b) continually accessing said database and the computer system during use thereof in order to determine the specific policy stored therein with respect to a particular subject presently using the computer system; and

(c) allowing the subject access to said computer system only to the extent allowed by the results of step (b);

wherein said database and the computer system contain Mandatory Access Control labels for each subject and each object, said labels being arranged in a hierarchical lattice with each label having a binary security attribute; and

further wherein said database contains a text attribute for each Mandatory Access Control label, said text attribute being stored alongside the respective binary security attribute for each label.

7. A security control method for a computer system, said method comprising steps of:

(a) storing in a database of said computer system and in the computer system itself security policies;

(b) continually accessing said database and the computer system during use thereof in order to determine the specific policy stored therein with respect to a particular subject presently using the computer system; and

(c) allowing the subject access to said computer system only to the extent allowed by the results of step (b);

wherein said database and the computer system contain a required capability set containing a plurality of capabilities for an object and an effective capability set containing a plurality of capabilities for each subject; and

further wherein, according to the security policy stored in said database, a subject is only allowed to access an object if the subject's effective capability set includes all of the capabilities in the object's required capability set.

8. A security control method for a computer system, said method comprising steps of:

(a) storing in a database of said computer system and in the computer system itself security policies;

(b) continually accessing said database and the computer system during use thereof in order to determine the specific policy stored therein with respect to a particular subject presently using the computer system; and

(c) allowing the subject access to said computer system only to the extent allowed by the results of step (b);

wherein said database contains:

a subject inheritable capability set containing a plurality of capabilities which a subject can pass on to future program executions, and

a subject bounding capability set containing an absolute upper limit on all capabilities assigned to a subject; and

further wherein, according to the security policy stored in said database and the computer system, a subject is prohibited from passing on capabilities in its subject inheritable capability set when such capabilities are not included in the subject's bounding capability set.

9. A method of executing a program on a computer, said program including user mode operations which a user specifically requests the computer to perform and which the user usually has the capability to perform, system mode operations which the system performs for system maintenance or integrity purposes, and augmented user operations in which the system provides a few select capabilities to enhance those provided by the user; said method comprising steps of:

setting a subject's effective capability set equal to its inheritable capability set during the time in which a sequential string of user mode operations is being executed by said computer;

setting a subject's effective capability set equal to its permitted capability set during the time in which a string of sequential system mode operations is being executed by said computer;

setting a subject's effective capability set equal to its inheritable capability set during the time in which a subsequent sequential string of user mode operations is being executed by said computer; and

setting a subject's effective capability set equal to its inheritable capability set plus a well-defined set of augmenting capabilities during the time in which a string of sequential augmented user mode operations is being executed by said computer.

10. A security control method for a computer system, said method comprising steps of:

(a) storing in a database of said computer system and in the computer system itself security policies;

(b) continually accessing said database and the computer system during use thereof in order to determine the specific policy stored therein with respect to a particular subject presently using the computer system; and

(c) allowing the subject access to said computer system only to the extent allowed by the results of step (b);

wherein said database contains a plurality of authentication mechanisms which a user must correctly respond to before being allowed initial access to the computer system; and

further wherein each user can be assigned a different set of authentication mechanisms which the user must correctly respond to before being allowed initial access to the network.

11. A security control method for a computer system, said method comprising steps of:

(a) storing in a database of said computer system and in the computer system itself security policies;

(b) continually accessing said database and the computer system during use thereof in order to determine the specific policy stored therein with respect to a particular subject presently using the computer system; and

(c) allowing the subject access to said computer system only to the extent allowed by the results of step (b);

wherein said database contains an administrative capability set containing a plurality of capabilities, each capability being a different type of privilege which an administrator can confer upon subjects; and

further wherein, according to the security policy stored in said database, an administrator is prohibited from assigning a subject a capability which is not in the administrator's administrative capability set.
3. Detailed Description of Invention
Field of the invention

The present invention relates to a computer system and specifically to a set of security mechanisms for a computer system. The security system precisely controls who has access to a computer system and the extent of access to the system's resources once the system is accessed.

Background of the invention 

Within a single company or government agency, as more and more computers become connected together into large computer networks, sometimes stretching across the globe, it becomes increasingly important to protect the information on the computer system from unauthorized access. Such unauthorized access could come from outside the organization, but oftentimes it comes from within the organization. For example, a lower level employee could gain access to sensitive information concerning employee salaries or future plans of the organization.

Data General Corporation, the assignee of the present application, has been active in this field, and introduced a computer security system in August of 1994. This computer security system was tightly integrated with Data General's industry leading DG/UX Unix-based operating system and formed an integral component of the DG/UX operating system architecture. While this security system provided a certain level of control, it suffered from the following drawbacks.

One of the main problems with the prior security system is that in order to allow a user to perform an administrative action on the system, it was necessary to give this user total access to the entire system. For example, if a lower level administrative user is hired into the administration department of a large company to maintain a log of valid users, this lower level user would have to be given "super-user" access to the entire computer system, and could thus access everyone's private files and could potentially read and/or alter company sensitive data. Another problem involves viruses that can be introduced in a computer system. The prior system did not isolate viruses to protect valuable files, nor did it take positive steps to prevent viruses from occurring in the first place, even if being run by an administrative user.

Summary of the invention

The present invention is drawn to a security system for a computer system in which specific limitations are imposed on who has access to exactly what computer functions and data on the computer system. As a consequence of the specific implementation of the security system of the present invention, viruses are securely contained and prevented from expanding into areas where they can destroy stored programs or data. Viruses are also prevented from being introduced or propagating in a large number of instances.

The security system of the invention basically involves breaking up the totality of computer functions into required privileges and assigning different privileges to each user depending on the particular job which that user is to do on the computer system.

Also, security labels are placed on each data file or other system resource, and on each user process. A hierarchy of labels is created ranging from highly secret to commonly accessible, and strict policies are enforced by the security system based on these labels to determine who has what type of access to which data files or other system resources. According to the invention, a range of these labels is assigned to a particular user process to define a clearance range in which the process is allowed to operate. Further, the hierarchy of labels is divided into a small number (for example 3) of regions, and a user process operating in one region is generally not allowed to access another region except in a very carefully prescribed manner.

Further, an owner of a data file is allowed to place restrictions on the file so that only users who possess certain capabilities can gain access to the file.
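
The label lattice, clearance range and region rules of the summary above (and of claims 1 to 5), worked through in Python. This is an added example written for this page, not code from the patent or from Data General's DG/UX. The numeric level boundaries of the three regions, the encoding of a label as a level plus a set of categories, and the capability name CROSS_REGION_CAP for the "special capability" of claim 1 are assumptions chosen for illustration; the files and subjects are constructed sample data.

```python
"""Toy Mandatory Access Control lattice with the three regions of claim 1,
a per-subject clearance range (claim 3) and the rule that only programs
labelled in the virus prevention region may be executed (claim 2).
Illustration code for this page; region boundaries and the
CROSS_REGION_CAP name are assumptions, not taken from the patent."""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Assumed hierarchical level ranges for the three regions of claim 1.
VIRUS_PREVENTION = range(0, 10)      # lowest labels: programs, shared read-only data
USER = range(10, 100)                # intermediate labels: user data
ADMINISTRATIVE = range(100, 256)     # highest labels: configuration, logs

# Assumed name of the "special capability" of claim 1 that lets a subject
# reach across a region boundary.
CROSS_REGION_CAP = "CAP_MAC_CROSS_REGION"


@dataclass(frozen=True)
class Label:
    level: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level and a superset of categories.
        return self.level >= other.level and self.categories >= other.categories

    def region(self) -> str:
        for name, span in (("virus_prevention", VIRUS_PREVENTION),
                           ("user", USER),
                           ("administrative", ADMINISTRATIVE)):
            if self.level in span:
                return name
        raise ValueError(f"level {self.level} is outside the lattice")


@dataclass(frozen=True)
class Subject:
    name: str
    clearance_low: Label       # bottom of the clearance range (claim 3)
    clearance_high: Label      # top of the clearance range
    capabilities: FrozenSet[str] = frozenset()

    def in_clearance(self, label: Label) -> bool:
        # A label is within the range if it sits between both bounds in the lattice.
        return label.dominates(self.clearance_low) and self.clearance_high.dominates(label)


def may_access(subject: Subject, current: Label, obj: Label) -> bool:
    """Access by `subject`, currently running at label `current`, to an
    object labelled `obj`: both labels must lie in the clearance range,
    and crossing into another region needs CROSS_REGION_CAP (claim 1)."""
    if not (subject.in_clearance(current) and subject.in_clearance(obj)):
        return False
    if current.region() != obj.region() and CROSS_REGION_CAP not in subject.capabilities:
        return False
    return True


def may_execute(program: Label) -> bool:
    """Claim 2: only programs labelled in the virus prevention region run.
    A binary that a virus drops into a user directory carries a user label."""
    return program.region() == "virus_prevention"


# Constructed sample objects and subjects.
SALARY_FILE = Label(50, frozenset({"HR"}))
PASSWD_DB = Label(120)
LS_BINARY = Label(5)
DROPPED_BINARY = Label(50)

CLERK = Subject("clerk", Label(10), Label(60, frozenset({"HR"})))
AUDITOR = Subject("auditor", Label(10), Label(200))
OPERATOR = Subject("operator", Label(10), Label(200), frozenset({CROSS_REGION_CAP}))


def demo() -> Dict[str, bool]:
    """Decisions the checks above produce for the sample data."""
    return {
        "clerk_reads_salary": may_access(CLERK, Label(50, frozenset({"HR"})), SALARY_FILE),
        "clerk_reads_passwd": may_access(CLERK, Label(50), PASSWD_DB),
        "auditor_crosses_into_admin": may_access(AUDITOR, Label(50), PASSWD_DB),
        "operator_crosses_into_admin": may_access(OPERATOR, Label(50), PASSWD_DB),
        "exec_ls": may_execute(LS_BINARY),
        "exec_dropped": may_execute(DROPPED_BINARY),
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allow' if allowed else 'deny'}")
```

The auditor case is the one claim 1 is about: the password database is inside the auditor's clearance range, yet the access is refused because it crosses from the user region into the administrative region without the special capability. The clerk is refused earlier, by the clearance range alone.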
Detailed Description of the preferred embodiments
Definitions

The following commonly occurring terms in this application are hereby defined as follows:

subject: an active entity of the computer system which either accesses objects or causes the system state to change (for example, a process operating on a user's behalf).

process: an actively running program, often running on a user's behalf with a set of credentials identifying who that user is and embodied with the access rights of that user.

object: a target of an operation, often a passive element of the computer system which receives and stores data (for example, a data file or a program).

operation: a request for service from the system (for example, a request to open a file for read and write access).

Capability mechanism for privileges

The security system of the present invention allows each process to be assigned a set of capabilities (or privileges) which it can invoke during its existence. One example of a capability is the ability to open a file to which the system would normally deny access; another is performing a restricted operation, such as shutting down the system, which is not available to regular users. This set of possible capabilities which a process may invoke when needed is called the subject permitted capability set (see 103a and 103b in Figure 1).

Each process also has a subject effective capability set (104a and 104b) which is a subset of the permitted capability set, and is the set of capabilities that the process is currently asserting to perform operations. That is, the effective set is what the system considers when making an access control decision, while the permitted set is the upper limit of what can be included in the effective set.

Sometimes during execution of a particular program, a process' permitted capability set must be temporarily expanded to include capabilities which the user does not possess in the normal course of business. For example, the user may decide to change his password. To do this, the user must update the system files which store his password and other associated information. However, the user is not usually allowed access to these files, so the change password program must provide the ability to access these files. The program is responsible for ensuring that the extra capabilities are only used for the purpose for which they were intended, and the extra capabilities are automatically removed when the change password program terminates.

Such extra capabilities are stored as the object permitted capability set (106) on the program. The capabilities in this set are temporarily granted to a process while it is running that program. The object may also have other capability sets associated with it which change the capabilities assigned to any process that runs the program, as shown in Figure 1. For example, when a process starts running a program, the object permitted capabilities are added to the process' capabilities by a set union operator (110), and the subject permitted set is limited to the subject bounding set (discussed below) by the set intersection operator (109).

The set 102a is the subject inheritable capability set and represents the set of capabilities which a process can pass on to later programs run by the process. That is, the capabilities in this set are the ones that this process normally possesses, without additions from any object permitted capability set. The subject inheritable set before program initialization (102a) basically becomes the new subject inheritable set after the program starts (102b), except for Applicant's added security measures concerning a bounding set, which will be explained below. It is by this mechanism that capabilities acquired from an object permitted capability set are prevented from passing to later programs, since such enhanced capabilities are never added to the subject inheritable set.

The above structure has been included in the IEEE POSIX security system in the past. Applicant has added a failsafe mechanism to the above basic structure as follows.

A subject bounding capability set (101a, 101b) is defined, and is the largest group of capabilities which may ever be acquired by a process. It is not possible for a process to increase its bounding set. As shown in Figure 1, this set may be decreased (for example if an object bounding set is smaller than the original subject bounding set), and it serves as a limit on all other subject capability sets. This effectively reduces the process' ability to acquire capabilities and thus serves as a failsafe mechanism. For example, a user who is not authorized to perform administrative functions may be assigned a relatively small bounding set. Even if this user manages to take on an administrative identity, their bounding set will prevent them from acquiring the associated capabilities, and thus greatly reduce (or even eliminate) the potential for damage to the system.
As a further check, each executable program may also have an object bounding capability set (105) which is intersected with the subject bounding capability set (101a) during initialization of a program to form the new subject bounding set (101b) which will be effective while the program runs. Since this new bounding set also limits all the other subject capability sets, in particular the permitted and effective sets (103b and 104b respectively), this provides a mechanism for preventing a given program from being run with particular capabilities.
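
The capability-set arithmetic of Figure 1 described in the preceding paragraphs, as an added Python example written for this page (not the patent's or DG/UX's code). Set names follow the figure numbers. The text states that the object permitted set is unioned in (110) and that the subject sets are cut down to the new bounding set (109); that the union is taken with the inheritable set, that the effective set starts equal to the inheritable set after program start, and that an identity taken on contributes its capabilities through the same bounding-set filter, are assumptions made here and marked in the comments. All capability names, programs and subjects are constructed.

```python
"""Capability-set algebra of Figure 1, as illustration code for this page
(not DG/UX).  Set names follow the figure: bounding 101, inheritable 102,
permitted 103, effective 104, object bounding 105, object permitted 106;
union 110, intersection 109.  Which subject set the object permitted set
is unioned with, and the starting effective set after exec, are
assumptions (see comments)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Caps = FrozenSet[str]


@dataclass(frozen=True)
class SubjectCaps:
    bounding: Caps      # 101: absolute upper limit; only ever shrinks
    inheritable: Caps   # 102: what the subject passes to later programs
    permitted: Caps     # 103: what may be asserted when needed
    effective: Caps     # 104: what is asserted right now

    def assert_cap(self, cap: str) -> "SubjectCaps":
        """Raise a permitted capability into the effective set; anything
        outside the permitted set can never become effective."""
        if cap not in self.permitted:
            raise PermissionError(f"{cap} is not in the permitted set")
        return SubjectCaps(self.bounding, self.inheritable,
                           self.permitted, self.effective | {cap})


@dataclass(frozen=True)
class ProgramCaps:
    permitted: Caps = frozenset()       # 106: extra caps granted while running
    bounding: Optional[Caps] = None     # 105: None means no object bounding set


def exec_program(subj: SubjectCaps, prog: ProgramCaps) -> SubjectCaps:
    """Derive the 'b' sets of Figure 1 from the 'a' sets at program start."""
    # 109: an object bounding set can only cut the subject bounding set down.
    new_bounding = subj.bounding if prog.bounding is None else subj.bounding & prog.bounding
    # 102b: the inheritable set survives exec, capped by the new bound.
    new_inheritable = subj.inheritable & new_bounding
    # 110 then 109: object permitted caps join the subject's own caps and are
    # capped.  Assumption: the union is taken with the inheritable set.  They
    # never enter the inheritable set, so they cannot be passed on.
    new_permitted = (subj.inheritable | prog.permitted) & new_bounding
    # Assumption: a program starts in a user-operation bracket, so the
    # effective set begins equal to the inheritable set.
    return SubjectCaps(new_bounding, new_inheritable, new_permitted, new_inheritable)


def take_on_identity(subj: SubjectCaps, identity_caps: Caps) -> SubjectCaps:
    """Failsafe described in the text: a subject taking on another identity
    gains that identity's capabilities only as far as its own bounding set
    allows (assumed model of the take-on operation)."""
    gained = identity_caps & subj.bounding
    return SubjectCaps(subj.bounding, subj.inheritable | gained,
                       subj.permitted | gained, subj.effective)


def can_assert(subj: SubjectCaps, cap: str) -> bool:
    try:
        subj.assert_cap(cap)
        return True
    except PermissionError:
        return False


# Constructed sample: a clerk with a small bounding set, a passwd program
# carrying an object permitted set, a plain shell, and an editor whose object
# bounding set forbids running it with anything but CAP_READ_OWN_FILES.
CLERK = SubjectCaps(
    bounding=frozenset({"CAP_READ_OWN_FILES", "CAP_PRINT", "CAP_WRITE_PASSWD_DB"}),
    inheritable=frozenset({"CAP_READ_OWN_FILES", "CAP_PRINT"}),
    permitted=frozenset({"CAP_READ_OWN_FILES", "CAP_PRINT"}),
    effective=frozenset({"CAP_READ_OWN_FILES"}),
)
PASSWD = ProgramCaps(permitted=frozenset({"CAP_WRITE_PASSWD_DB"}))
SHELL = ProgramCaps()
RESTRICTED_EDITOR = ProgramCaps(bounding=frozenset({"CAP_READ_OWN_FILES"}))
ADMIN_IDENTITY_CAPS = frozenset({"CAP_SHUTDOWN", "CAP_WRITE_PASSWD_DB"})


def run_passwd_then_shell() -> Tuple[SubjectCaps, SubjectCaps, SubjectCaps]:
    """passwd asserts its object permitted cap; a shell spawned from passwd
    must not inherit it.  Returns (in passwd, while asserting, in shell)."""
    in_passwd = exec_program(CLERK, PASSWD)
    asserting = in_passwd.assert_cap("CAP_WRITE_PASSWD_DB")
    in_shell = exec_program(asserting, SHELL)
    return in_passwd, asserting, in_shell


if __name__ == "__main__":
    before, during, after = run_passwd_then_shell()
    print("permitted in passwd:", sorted(before.permitted))
    print("effective while writing:", sorted(during.effective))
    print("permitted in child shell:", sorted(after.permitted))
    print("editor bounding set:", sorted(exec_program(CLERK, RESTRICTED_EDITOR).bounding))
    print("after taking on admin:", sorted(take_on_identity(CLERK, ADMIN_IDENTITY_CAPS).permitted))
```

Two things to watch in the output: the shell spawned from passwd has lost CAP_WRITE_PASSWD_DB, because that capability came from the object permitted set and was never added to the inheritable set; and taking on the administrative identity yields CAP_WRITE_PASSWD_DB (already inside the clerk's bounding set) but not CAP_SHUTDOWN, which the bounding set filters out.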

Event Mechanism 

If the implementation were to directly check for the presence of a particular capability in the process' subject effective set whenever it wished to check for privilege, the actual security policy being enforced with respect to capabilities would have to be determined by Applicant, and individual sites would have to use that same policy. To avoid this, and allow the security policy enforced by the system to be configurable by each site to meet its individual requirements, privilege checks are done by means of "events". An event is defined as "a place in the code where a security-relevant decision is made or recorded". When the system needs to check whether a process should be allowed to perform some operation, it uses the unique event name defined for that particular privilege check to look up, in a table, the capability or capabilities which the process must possess to pass the check. By providing a mechanism for individual sites to modify the event name-to-capability table, the site can configure the system to enforce their own security policy, in addition to, or instead of, the supplied event/capability policy delivered with the security system.

Operation Bracketing 

While a subject is executing an object program, the state of the process' subject effective capability set (104b) is changed periodically to reflect the type of operation currently being performed. Three different types of operations are defined.

Firstly, a user operation is one that should be performed with only the capabilities that are normally assigned to the user. For example, when a user requests a file be printed, accessing the requested file is a user operation. In this case, the process' effective capability set (104b) is set equal to its inheritable set (102b), since this contains the user's capabilities with no contribution from an object permitted set (106). This state is maintained as long as the program performs user operations.

Secondly, a system operation is one which the system needs to succeed if possible. For example, in the print request above, the system may copy the file to a spool area, which is normally inaccessible to users, before printing it. This copy is a system operation, since it must succeed for the file to print. In this case, the process' effective capability set (104b) is set equal to its permitted capability set (103b), which represents the user's capabilities plus any object permitted capabilities (106).

Finally, an augmented user operation is one which needs access to one or more capabilities from the object permitted set (106), but despite this is essentially a user operation. An example is setting an object permitted capability set on a program, which requires a special capability that no user or administrator normally possesses. If the program to set such a capability set decides to allow the operation, it needs to enable this particular capability, but it should not enable other object permitted capabilities it may have, since this may grant the user access to the target program which he would not normally have. In this case, the process' effective set (104b) is set equal to the subject inheritable set (102b) with the addition of particular capabilities from the subject permitted set (103b).

The term "bracketing" refers to enabling extra capabilities in the subject effective set (104b) just before a system or augmented user operation and disabling them immediately after the operation. In the prior art, bracketing was done around each user operation (even though there may have been many in a row). This involved significant analysis, to determine the capabilities required for each operation, and also computational effort, to compute and modify the effective set (104b) so often.

According to the present invention, as shown in Figure 2, the program establishes the effective capability state (104b) for user operations when it starts. This capability state is maintained as long as the program is performing user operations. When it comes time to perform a system or augmented user operation, the appropriate capabilities are enabled in the effective capability set (104b) immediately prior to the operation, and the user-operation capability set is reset in the effective capability set immediately after the operation. This enabling and disabling of extra capabilities before and after the system or augmented user operation form a "bracket" around the operation. In this way, the program is usually running with only the user's capabilities, except at specific places where we identify system or augmented user operations, when extra capabilities are enabled. Enabling all available capabilities for a system operation instead of just those specifically needed for that operation is acceptable, since all operations are such that having extra, unrelated, capabilities will not affect the outcome of the operation.

Since the present invention brackets much less often than the prior art, much analysis and computational effort is saved. That is, there is no need to adjust the effective capability set (104b) for each user operation. Instead, the capabilities with which the user normally runs are used.

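
The event mechanism and the operation bracketing described in the two sections above, as one added worked example in Python; this is not code from the patent or from Data General's system. Privilege checks look an event name up in a site-configurable table instead of testing a hard-wired capability, and the effective set (104b) is switched to the permitted set (103b) only for the duration of a system operation, or to the inheritable set (102b) plus named capabilities for an augmented user operation. The event names (spool.write, setcapset.file, file.read), the capability names and the sample process are assumptions made for the example.

```python
"""Event-name privilege checks and operation bracketing (added example).

Not the patent's or Data General's code.  Event names, capability names and
the sample process below are constructed for illustration.
"""
from contextlib import contextmanager
from typing import Dict, FrozenSet, Iterator, Optional

Caps = FrozenSet[str]

# Policy delivered with the security system: event name -> capabilities that
# must ALL be present in the effective set.  (Constructed names.)
DEFAULT_EVENT_TABLE: Dict[str, Caps] = {
    "spool.write":    frozenset({"CAP_SPOOL"}),
    "setcapset.file": frozenset({"CAP_SETCAPSET"}),
    "file.read":      frozenset(),      # no capability needed; other policies decide
}


def load_event_table(site_overrides: Dict[str, Caps]) -> Dict[str, Caps]:
    """Site policy is layered on top of (and may replace entries of) the delivered policy."""
    table = dict(DEFAULT_EVENT_TABLE)
    table.update(site_overrides)
    return table


class Process:
    def __init__(self, inheritable: Caps, permitted: Caps, table: Dict[str, Caps]):
        assert inheritable <= permitted
        self.inheritable = inheritable          # 102b
        self.permitted = permitted              # 103b
        self.effective = inheritable            # 104b: user-operation state at start
        self.table = table

    def privileged(self, event: str) -> bool:
        """The only privilege check: look the event up, never test a capability directly."""
        required = self.table[event]            # KeyError here means a misconfigured table
        return required <= self.effective

    @contextmanager
    def system_operation(self) -> Iterator[None]:
        """Bracket: effective = permitted for the duration, then back to the user state."""
        saved = self.effective
        self.effective = self.permitted
        try:
            yield
        finally:
            self.effective = saved

    @contextmanager
    def augmented_user_operation(self, *caps: str) -> Iterator[None]:
        """Bracket: effective = inheritable plus only the named object-permitted caps."""
        extra = frozenset(caps)
        assert extra <= self.permitted, "cannot enable a capability outside 103b"
        saved = self.effective
        self.effective = self.inheritable | extra
        try:
            yield
        finally:
            self.effective = saved


def print_request(proc: Process) -> Dict[str, bool]:
    """The print example: reading the file is a user operation, the spool copy a system operation."""
    results = {}
    results["read_before"] = proc.privileged("file.read")
    results["spool_before"] = proc.privileged("spool.write")        # user state: denied
    with proc.system_operation():
        results["spool_inside"] = proc.privileged("spool.write")    # inside bracket: allowed
    results["spool_after"] = proc.privileged("spool.write")         # reset: denied again
    return results


def setcapset_request(proc: Process) -> Dict[str, bool]:
    """Augmented user operation: enable CAP_SETCAPSET only, not the other object-permitted caps."""
    results = {}
    with proc.augmented_user_operation("CAP_SETCAPSET"):
        results["setcapset_inside"] = proc.privileged("setcapset.file")
        results["spool_inside"] = proc.privileged("spool.write")    # still not enabled
    results["setcapset_after"] = proc.privileged("setcapset.file")
    return results


def make_lpr_process(site_overrides: Optional[Dict[str, Caps]] = None) -> Process:
    """Constructed process: the user holds no special caps; the program carries an object permitted set."""
    return Process(
        inheritable=frozenset(),
        permitted=frozenset({"CAP_SPOOL", "CAP_SETCAPSET"}),
        table=load_event_table(site_overrides or {}),
    )


if __name__ == "__main__":
    print(print_request(make_lpr_process()))
    print(setcapset_request(make_lpr_process()))
    # A site that decides spooling needs no privilege changes the table, not the code:
    print(print_request(make_lpr_process({"spool.write": frozenset()})))
```

The context managers restore the saved state in a finally block so that an exception raised inside a bracket cannot leave the process running with the enlarged effective set.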
Mandatory Access Control 

The above discussion of capabilities related to the security system's ability to allow checks to be placed on a process concerning exactly which operations it can perform. According to the invention, further checks can be placed on a subject's access to particular objects.

According to well-known Mandatory Access Control (MAC) theory, labels are applied to each object and each subject. Each label consists of two components:

1. a hierarchy component, which is ordered and denotes a level of sensitivity (e.g., unclassified, secret, top secret, etc.); and

2. a category set component, which is non-ordered and denotes the area(s) of interest (e.g., marketing, research-and-development, personnel, etc.).

These MAC labels form a mathematical lattice. An example of such a label is "Secret(SuperCar, Marketing)". This label refers to an object (e.g., a data file containing market research information) which is at the "Secret" level of sensitivity and relates to both the "SuperCar" and "Marketing" areas of interest.

A first label dominates (i.e., is higher than) a second label if

1. the hierarchical component of the first label is greater than or equal to the hierarchical component of the second label, and

2. the category set of the second label is a subset of (i.e., is contained within) the category set of the first label.

Thus, given two labels, the first may dominate the second, the second may dominate the first, each may dominate the other (in which case the two labels are equal), or neither may dominate the other (in which case the labels are said to be "incomparable").

A subject can read an object when the subject's label dominates the object's label (including the case where the labels are equal). This is called "read-down". A subject can write to an object when the object label dominates the subject label, which is called "write-up".

The present invention implements a stricter base policy of "read-down, write-equal", where a subject can write to an object only if the subject and object labels are equal.

MAC ranges 

In the prior art, a process running at a particular MAC label could only read an object with a label dominated by the process' label. If it were desired to give a user more access than this base policy allowed, the user's process would have had to be granted total access to all objects in the computer system. In the UNIX operating system, such a user is known as a "superuser" (or "root"). In order to perform one restricted operation, a user had to be given the ability to perform all restricted operations. This is typically highly undesirable in practice.

Applicant has overcome this problem by a combination of the capability mechanism described above and assigning a MAC range (a range of MAC labels) to a process (in addition to the process' MAC label). As shown in Figure 3, the range has an upper bound (the highest MAC label in the range) and a lower bound (the lowest MAC label in the range), and the upper bound dominates the lower bound. Such a MAC range forms a sublattice of the entire MAC lattice.

The capability mechanism provides capabilities which allow a process to override the basic system MAC policy when accessing objects with labels within the process' MAC range. For example, a process' capabilities can be configured to allow write access to any object whose MAC label is higher than the process' label but falls within the process' MAC range ("write-up-within-range"). Other capabilities allow "read-up-within-range" and "write-down-within-range", which have definitions similar to the above.

Applicant's MAC ranges, combined with the capability mechanism, thus allow a user to be given increased access to a well-defined set of objects (i.e., those with MAC labels within the process' MAC range) without giving that user any increased access to other objects on the system.

In addition to the above embodiment (see Figure 4), a MAC range can be defined with respect to a particular object. As long as the subject's MAC label is in between the upper and lower bounds of the object's MAC range (each of subjects 1, 2 and 3 in Fig. 4), it is granted write-only access to the object. Read access requires that the subject's MAC label dominate the upper bound of the object's MAC range. Read/write access is thus only granted to a process whose MAC label is equal to the upper bound of the object's range.

This way, a range of users at various MAC labels can be allowed to write to an object (e.g., a log file in which users record daily transactions) without necessarily giving them the ability to read what others have written.
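
The MAC label lattice, the dominance rule, the "read-down, write-equal" base policy, the within-range capabilities on a process, and the range on an object described in the preceding sections, as one added worked example in Python; this is not code from the patent or from Data General's system. It is built on the text's "Secret(SuperCar, Marketing)" label. The hierarchy names, the category names, the capability names (CAP_READ_UP_IN_RANGE, CAP_WRITE_UP_IN_RANGE, CAP_WRITE_DOWN_IN_RANGE) and the sample labels are assumptions made for the example.

```python
"""MAC labels, dominance, read-down/write-equal, and MAC ranges (added example).

Not the patent's or Data General's code.  Hierarchy names, categories,
capability names and sample labels are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

HIERARCHY = {"unclassified": 0, "secret": 1, "top secret": 2}   # ordered component

@dataclass(frozen=True)
class Label:
    level: str                        # hierarchy component
    categories: FrozenSet[str]        # non-ordered category set component

    def dominates(self, other: "Label") -> bool:
        """Level at least as high AND the other label's categories contained in ours."""
        return (HIERARCHY[self.level] >= HIERARCHY[other.level]
                and other.categories <= self.categories)

    def comparable(self, other: "Label") -> bool:
        return self.dominates(other) or other.dominates(self)

def L(level: str, *cats: str) -> Label:
    return Label(level, frozenset(cats))

@dataclass(frozen=True)
class MacRange:
    low: Label
    high: Label

    def __post_init__(self) -> None:
        assert self.high.dominates(self.low), "upper bound must dominate lower bound"

    def contains(self, label: Label) -> bool:
        """The sublattice: every label between the two bounds, inclusive."""
        return self.high.dominates(label) and label.dominates(self.low)

def may_read(subject: Label, obj: Label, rng: Optional[MacRange] = None,
             caps: FrozenSet[str] = frozenset()) -> bool:
    """Base policy: read-down.  read-up-within-range lifts it only inside the process range."""
    if subject.dominates(obj):
        return True
    return rng is not None and rng.contains(obj) and "CAP_READ_UP_IN_RANGE" in caps

def may_write(subject: Label, obj: Label, rng: Optional[MacRange] = None,
              caps: FrozenSet[str] = frozenset()) -> bool:
    """Base policy: write-equal.  Inside the range, write-up / write-down need their capability."""
    if subject == obj:
        return True
    if rng is None or not rng.contains(obj):
        return False                   # the capabilities never reach objects outside the range
    if obj.dominates(subject):
        return "CAP_WRITE_UP_IN_RANGE" in caps
    if subject.dominates(obj):
        return "CAP_WRITE_DOWN_IN_RANGE" in caps
    return False                       # incomparable labels: no override is defined

def object_range_access(subject: Label, obj_range: MacRange) -> str:
    """A range on an object: write-only inside it; reading requires dominating its upper bound."""
    can_write = obj_range.contains(subject)
    can_read = subject.dominates(obj_range.high)
    if can_read and can_write:
        return "read/write"            # only a subject equal to the upper bound gets here
    if can_read:
        return "read"
    if can_write:
        return "write-only"
    return "none"

# Constructed labels built around the text's "Secret(SuperCar, Marketing)".
SECRET_MKT = L("secret", "Marketing")
SECRET_MKT_CAR = L("secret", "SuperCar", "Marketing")
TOP_MKT_CAR = L("top secret", "SuperCar", "Marketing")
SECRET_RD = L("secret", "R&D")
UNCLASSIFIED = L("unclassified")

def process_range_demo() -> Dict[str, bool]:
    """A Marketing analyst given write-up-within-range over the SuperCar sub-lattice."""
    rng = MacRange(low=SECRET_MKT, high=TOP_MKT_CAR)
    caps = frozenset({"CAP_WRITE_UP_IN_RANGE"})
    return {
        "read_down":         may_read(SECRET_MKT_CAR, SECRET_MKT),
        "read_up_no_cap":    may_read(SECRET_MKT, SECRET_MKT_CAR, rng, caps),
        "write_equal":       may_write(SECRET_MKT, SECRET_MKT),
        "write_up_base":     may_write(SECRET_MKT, SECRET_MKT_CAR),
        "write_up_in_range": may_write(SECRET_MKT, SECRET_MKT_CAR, rng, caps),
        "write_up_outside":  may_write(SECRET_MKT, SECRET_RD, rng, caps),
        "incomparable":      SECRET_MKT.comparable(SECRET_RD),
    }

def log_file_demo() -> Dict[str, str]:
    """A transaction log with an object range: many labels can write, only the top one reads."""
    log_range = MacRange(low=UNCLASSIFIED, high=SECRET_MKT)
    return {
        "unclassified": object_range_access(UNCLASSIFIED, log_range),
        "secret":       object_range_access(L("secret"), log_range),
        "secret_mkt":   object_range_access(SECRET_MKT, log_range),
        "top_mkt_car":  object_range_access(TOP_MKT_CAR, log_range),
        "secret_rd":    object_range_access(SECRET_RD, log_range),
    }
```

Note that the within-range capabilities are only consulted after the object has been shown to lie inside the range, which is what keeps the extra access confined to the sub-lattice; a label that is incomparable with the range bounds, such as Secret(R&D) above, is simply outside it.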

MAC regions

The basic MAC policy (read-down, write-equal) has been found by Applicant to be limiting and to result in various problems.

Firstly, if an administrator is performing an administrative action, he/she is able to "read down" to any MAC label below the label of their process. Many administrative processes are typically run in the upper portion of the MAC lattice, so that regular (non-administrative) users cannot access administrative objects. Thus if a low-level user (e.g., a high-school student) is given a limited administrative role (such as adding and removing users in a large company which gains and loses many employees each month), that user would be able to access anything dominated by their administrative MAC label. As an example, the low-level administrative employee could gain access to the electronic mailboxes of the senior company officials.

Secondly, a program run by a user may contain malicious code, such as a virus, which could modify or destroy other programs and files on the system. If an administrator runs such a program, the system executables may be modified, and may perform unauthorized actions when later run by other users, such as disclosing information intended to be kept secret.

Applicant has solved these problems by dividing the totality of MAC hierarchies into a small number of distinct and non-overlapping regions. For example, as shown in Figure 5, three regions can be used: an administrative region (41), a user region (42) and a virus prevention region (43). The administrative region is located at the highest MAC hierarchies, the virus prevention region is at the lowest MAC hierarchies, and the user region is in between. Effective policy restrictions are placed on processes in one region accessing objects in another region so that problems such as described above are overcome.

For example, a process running with a MAC label in the administrative region gains access to objects in the user and virus prevention regions not through its (administrative) MAC label but rather through the upper bound of its MAC range (which by definition is in the user region). By giving an administrator a MAC range whose upper limit is at the bottom of the user region, it is thus possible to prevent the administrator from accessing most or even all of the files in the user region.

Likewise, a special capability is required to write to the virus prevention region, and this capability is typically granted only to the administrator responsible for installing software, not to other administrators or users. The system executables are stored in the virus prevention region so they gain the benefit of this write-protection. When a process runs a program, a copy of the program is made into memory allocated to that process. If the program contains malicious code which attempts to modify any objects in the virus prevention region (where all system executables and many other system files are placed), access will be denied. The virus is thus effectively contained and is unable to spread and do further damage.

There are no capabilities which allow a process to override the restrictions on access to objects in different MAC regions. This allows for the containment of administrative authority by limiting the access of various administrators to only those objects they need to get their job done.

Trusted Facility Mode 

Further to the MAC regions aspects discussed above, the present invention provides extra security and extra virus protection in that a process is only allowed to execute a program if that program is stored in the virus prevention region (43). This can be achieved, for example, by performing a check on each program before it is executed to make sure the software resides in the virus prevention region (43). The virus prevention region (43) is thus the only place which can contain potentially executable programs for processes running in Trusted Facility Mode. This provides an expanded amount of control because the system administrators can decide exactly which programs will be made available to users.

With the Trusted Facility Mode aspect of the invention, users are unable to, for example, download and run programs from the Internet (using, e.g., File Transfer Protocol). External programs are a common source of viruses. Therefore, by preventing external programs from being run on the computer system, viruses can be prevented in a large number of instances.

Trusted Facility Mode also helps to prevent administrative abuse by preventing administrators from running programs that are not officially installed in the virus prevention region.
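
The MAC regions and Trusted Facility Mode described in the two sections above, as one added worked example in Python; this is not code from the patent or from Data General's system. It follows the text in routing an administrative process' cross-region access through the upper bound of its MAC range, in requiring a special capability to write into the virus prevention region, in allowing no capability to override a region boundary, and in refusing to execute any program stored outside the virus prevention region while Trusted Facility Mode is on. Assumptions beyond the text: hierarchy levels are integers split at constructed region boundaries, a user-region process reads down into the virus prevention region with its own label (it must be able to execute the system programs stored there), the capability name CAP_INSTALL_SOFTWARE, and the sample objects and processes.

```python
"""MAC regions and Trusted Facility Mode (added example).

Not the patent's or Data General's code.  Region boundaries, the capability
name and all sample objects/processes are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed split: levels 0-2 virus prevention (43), 3-5 user (42), 6-8 administrative (41).
def region(level: int) -> str:
    if level < 3:
        return "virus_prevention"
    return "user" if level < 6 else "administrative"

@dataclass(frozen=True)
class Label:
    level: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and other.categories <= self.categories

@dataclass(frozen=True)
class Process:
    label: Label
    range_high: Optional[Label] = None       # upper bound of the process' MAC range
    caps: FrozenSet[str] = frozenset()
    trusted_facility_mode: bool = False

def label_for(proc: Process, obj: Label) -> Optional[Label]:
    """The label the MAC check uses for `obj`; None means the region policy forbids it outright."""
    if region(proc.label.level) == region(obj.level):
        return proc.label
    if region(proc.label.level) == "administrative":
        return proc.range_high             # None when the administrator has no range: no access
    if region(obj.level) == "virus_prevention":
        return proc.label                  # assumed: ordinary read-down to shared system programs
    return None                            # no capability overrides a region boundary

def may_read(proc: Process, obj: Label) -> bool:
    lbl = label_for(proc, obj)
    return lbl is not None and lbl.dominates(obj)

def may_write(proc: Process, obj: Label) -> bool:
    if region(obj.level) == "virus_prevention":
        return "CAP_INSTALL_SOFTWARE" in proc.caps   # write-protected from everyone else
    lbl = label_for(proc, obj)
    return lbl is not None and lbl == obj             # base policy: write-equal

def may_execute(proc: Process, program: Label) -> bool:
    """Trusted Facility Mode: only programs stored in the virus prevention region may run."""
    if proc.trusted_facility_mode and region(program.level) != "virus_prevention":
        return False
    return may_read(proc, program)

# Constructed objects and processes.
SYSTEM_BINARY = Label(1)                     # installed in the virus prevention region
USER_FILE = Label(3)                         # bottom of the user region
SENIOR_MAILBOX = Label(5, frozenset({"Executive"}))
DOWNLOADED_TOOL = Label(4)                   # fetched by FTP into the user region

STUDENT_ADMIN = Process(Label(7), range_high=Label(3))          # limited administrative role
RANGELESS_ADMIN = Process(Label(7))
INSTALLER = Process(Label(7), range_high=Label(3), caps=frozenset({"CAP_INSTALL_SOFTWARE"}))
USER = Process(Label(4), trusted_facility_mode=True)

def containment_demo() -> Dict[str, bool]:
    return {
        "admin_reads_user_file":      may_read(STUDENT_ADMIN, USER_FILE),
        "admin_reads_senior_mailbox": may_read(STUDENT_ADMIN, SENIOR_MAILBOX),
        "admin_reads_system_binary":  may_read(STUDENT_ADMIN, SYSTEM_BINARY),
        "rangeless_admin_reads_user": may_read(RANGELESS_ADMIN, USER_FILE),
        "virus_writes_system_binary": may_write(USER, SYSTEM_BINARY),
        "admin_writes_system_binary": may_write(STUDENT_ADMIN, SYSTEM_BINARY),
        "installer_writes_binary":    may_write(INSTALLER, SYSTEM_BINARY),
        "user_runs_system_binary":    may_execute(USER, SYSTEM_BINARY),
        "user_runs_download":         may_execute(USER, DOWNLOADED_TOOL),
    }

if __name__ == "__main__":
    for name, allowed in containment_demo().items():
        print(f"{name:30s} {'allow' if allowed else 'deny'}")
```

The student administrator's label is in the administrative region, yet the only user-region object it can read is one at the bottom of that region, and it cannot write the system binary at all; a program it runs that tries to modify the binary is refused for the same reason.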

Multilevel Directories 

When creating a file system object, a subject is actually writing to a directory listing each file sys-

subject carries a special capability designed for this purpose.

Text Attributes

When the hierarchical and categorical components of MAC labels are stored, they are generally stored as binary values called binary security attributes. According to an aspect of the invention, text attributes (52) are stored alongside their corresponding binary security attributes (51). Then, if it is desired to change the binary security attributes associated with a text attribute (e.g., if the hierarchical component of a label is to be changed from "secret" to "top secret") the system searches for the text attribute and when it finds it, the binary security attribute stored alongside the found text attribute is changed.

This creates the advantage of not having to search for the binary attribute, which avoids finding equivalent binary values that are not associated with the text attribute and should not change simply because the binary value associated with the text attribute has changed. If such binary values were changed, important data elsewhere on the system could be lost or compromised.

Capability Access Control 

The security system of the invention provides an additional level of control in which the owner of an object is allowed to place a desired amount of protection on the object, to protect the object from unauthorized access.

Specifically, the owner of an object assigns a set of capabilities (a required capability set) to an object. In order for a process to access the object (e.g., to obtain read/write access to a data file), the process must contain, in its effective capability set, all of the capabilities which the object owner has assigned to the object required capability set.

An important aspect of Capability Access Control (CAC) is that no overrides to this policy are possible. That is, there is no way that special capabilities can be assigned to or acquired by a process to override the CAC policy. Therefore, even high level administrators must have the entire required capability set to gain access to a CAC protected object. This provides a high level of protection against administrative abuse.

Session Monitor 

The Session Monitor is the part of the security system which controls the manner in which a user or administrator initially gains access to the computer system, and the manner in which a user or administrator changes from their current mode of access to a different mode (for example, from user to administrator). The Session Monitor also participates in enforcing the security system's containment policy by limiting both user and administrator security credentials, no matter what their current mode of access, to maximum values established upon the said user's or administrator's initial access to the system.

The Session Monitor has been designed to be extensible, in the sense that the owner of the security system can incorporate their own software to change the access mode of a user or administrator, or to process authentication transactions before allowing a user or administrator access to the system, in either an existing mode or a new mode implemented by the said software. In either case, integration with the supplied security system is accomplished by writing the new software to function against interfaces delivered as part of the security system, following policy guidelines also included with the security system. After installation of said new software, administration of the new access mode function(s) and/or the new authentication function(s) is accomplished in the same way, using the same mechanisms, as administration of the access modes and authentication method(s) delivered with the original security system.

The Session Monitor has also been designed around the concept that different access modes might require different credentials and different authentication procedures. Consequently any one of the supported access modes, either originally delivered with the security system or written and installed by the owner, may require a different series of authentication steps than any other of the said access modes, including authentication steps that are processed using software written and installed by the owner of the said security system. Similarly, the Session Monitor may assign any supported access mode, either originally delivered with the security system or written and installed by the owner, a different set of security credentials. However, the security credentials available to any user, regardless of access mode, are limited to maximum values established upon the said user's (or administrator's) initial access to the system.

Administrative Set-Permitted Capability Set 

One instance of the security system's general containment policy is the manner in which the invention controls an administrator's ability to assign permitted capability sets to programs and other objects. When the said administrator first accesses the system (which access must be as an ordinary user), the Session Monitor identifies a maximum set of capabilities that the said user will be allowed to assign as permitted capabilities on any object throughout the term of the said access to the system, notwithstanding any changes in the mode of said access. When the said user changes their access mode to become an administrator, the Session Monitor preserves this limit in the credentials of their new access mode; and when the said operation is attempted, the system permits only the said capabilities to be so assigned, without regard to the role or access mode in which the said user is currently executing.

The advantage over prior art is that in the present invention different users may be assigned different containment limits, which apply to any action the said users attempt without regard to their current access mode, including administrative modes. Thus the actions allowed by administrators can be controlled to a per-user granularity, which feature can be used to reduce the risks associated with system administration.

Reference Monitor 

The Reference Monitor is the entity that mediates all requests for access to an object by a subject, and thus controls whether, and to what extent, the subject is granted access to the object. Such a Reference Monitor can be found in the earlier version of Data General's security system discussed in the Background of the Invention above. The various subject-to-object access policies described above can be implemented by storing various policy data in an Information Security Policy Table database, which is maintained as part of the Reference Monitor.

The Information Security Policy Table database contains policy modules which the Reference Monitor must invoke to check access. This table can be configured when the system software is first installed, to meet the specific security policy of the specific computer system. Further, the table can be altered when the security policy of the enterprise changes.

The database discussed above is stored, along with the operating system software, on a computer system storage medium such as a hard drive, CD-ROM or semiconductor based memory. The computer system continually accesses this database to determine and set the security policy.
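
A Reference Monitor driven by a table of policy modules, as an added worked example in Python that also covers the Capability Access Control section above; this is not code from the patent or from Data General's system. It shows the one property the text insists on for CAC: a CAC denial can never be lifted by a capability, whereas another module (here a deliberately simplified MAC check on the hierarchy component only) may name a capability that lifts its denial. The Decision shape, the module interface, the module order, the capability names and the sample subjects and objects are assumptions made for the example.

```python
"""Reference Monitor with a configurable policy table (added example).

Not the patent's or Data General's code.  The module interface, capability
names and sample subjects/objects are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional

Caps = FrozenSet[str]


@dataclass(frozen=True)
class Subject:
    level: int                 # simplified MAC hierarchy component only
    effective: Caps            # 104b


@dataclass(frozen=True)
class Obj:
    level: int
    required_caps: Caps = frozenset()   # CAC: assigned by the object's owner


@dataclass(frozen=True)
class Decision:
    allow: bool
    overridable_by: Optional[str] = None   # capability that may lift a denial; None = final
    module: str = ""                       # which policy module produced the decision


PolicyModule = Callable[[Subject, Obj, str], Decision]


def mac_simplified(subj: Subject, obj: Obj, op: str) -> Decision:
    """Read-down / write-equal on the hierarchy component; denials are overridable."""
    if op == "read":
        return Decision(subj.level >= obj.level, "CAP_READ_UP", "mac")
    if subj.level == obj.level:
        return Decision(True, None, "mac")
    return Decision(False, "CAP_WRITE_UP" if obj.level > subj.level else "CAP_WRITE_DOWN", "mac")


def cac(subj: Subject, obj: Obj, op: str) -> Decision:
    """Capability Access Control: every owner-required capability must be effective.  No override."""
    return Decision(obj.required_caps <= subj.effective, None, "cac")


class ReferenceMonitor:
    def __init__(self, policy_table: List[PolicyModule]):
        self.policy_table = list(policy_table)      # the site-configurable table

    def check(self, subj: Subject, obj: Obj, op: str) -> Decision:
        """Every module in the table is consulted; the first denial that is not lifted wins."""
        for module in self.policy_table:
            d = module(subj, obj, op)
            if d.allow:
                continue
            if d.overridable_by is not None and d.overridable_by in subj.effective:
                continue            # denial lifted by a capability the subject holds
            return d
        return Decision(True, None, "all")


# Constructed subjects and objects.
PAYROLL_FILE = Obj(level=3, required_caps=frozenset({"CAP_PAYROLL"}))
SUMMARY_FILE = Obj(level=5)
EVERYTHING_BUT_PAYROLL = frozenset({"CAP_READ_UP", "CAP_WRITE_UP", "CAP_WRITE_DOWN", "CAP_ADMIN"})
ADMIN = Subject(level=8, effective=EVERYTHING_BUT_PAYROLL)
CLERK = Subject(level=3, effective=frozenset({"CAP_PAYROLL"}))
CLERK_WITH_WRITE_UP = Subject(level=3, effective=frozenset({"CAP_PAYROLL", "CAP_WRITE_UP"}))

MONITOR = ReferenceMonitor([mac_simplified, cac])        # the delivered policy table


def admin_reads_payroll() -> Decision:
    """Every capability on the system except the owner-required one: CAC still denies."""
    return MONITOR.check(ADMIN, PAYROLL_FILE, "read")


def clerk_reads_payroll() -> Decision:
    return MONITOR.check(CLERK, PAYROLL_FILE, "read")


def clerk_writes_summary(with_cap: bool) -> Decision:
    """A MAC write-up denial, by contrast, is lifted by the capability the module names."""
    return MONITOR.check(CLERK_WITH_WRITE_UP if with_cap else CLERK, SUMMARY_FILE, "write")


if __name__ == "__main__":
    print("admin reads payroll:", admin_reads_payroll())
    print("clerk reads payroll:", clerk_reads_payroll())
    print("clerk writes summary:", clerk_writes_summary(False), clerk_writes_summary(True))
```

Reconfiguring the policy table (adding, removing or reordering modules) changes the enforced policy without touching the callers, which is the point of keeping the table as data maintained by the Reference Monitor.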

The present invention is not limited by the above-described embodiments, but only by the spirit and scope of the appended claims.
4. Brief Description of Drawings

Figure 1 shows a block diagram of capability sets and their interaction when starting a program, according to a preferred embodiment of the present invention;

Figure 2 illustrates operation bracketing according to an embodiment of the present invention;

Figures 3 and 4 illustrate MAC ranges on processes and objects respectively, according to embodiments of the present invention;

Figure 5 illustrates MAC regions according to an embodiment of the present invention; and

Figure 6 illustrates Text Attributes according to an embodiment of the present invention.
Figure 1: Evaluation of Capabilities during Program Initialization

Figure 2: Operation Bracketing (flow shown in the figure: Start of Program; Establish User capability state; User Operations 1 to 50; Establish System capability state; User Operations 51 to 75; Establish Augmented User capability state; User Operation 76; End of program)

Figure 6: Text Attributes on Objects
1. Abstract

A security system for a computer system imposes specific limitations on who has access to the computer system and to exactly what operations and data. Viruses are securely contained and prevented from expanding into areas where they can destroy stored programs or data. Viruses are also prevented from being introduced or executed in a large number of instances. The totality of computer functions is broken up into a set of events with an associated set of capabilities, and different capabilities are assigned to each user depending on the particular job which that user is to do on the computer system. Also, security labels are placed on each data file and other system resource, and on each process. Further, a range of hierarchy/category labels (MAC labels) is assigned to a process to define a sub-lattice in which special capabilities can apply. Further, the hierarchy of labels is divided into a small number (for example 3) of regions, and a process operating in one region is generally not allowed to cross over into another region. Further, an owner of a data file is allowed to place restrictions on the file so that only users who possess certain privileges can gain access to the file.



2. Representative Drawing
Fig. 1